1

I am simply inserting the text that you write in the textarea in mySQL without using any extra method to protect my site... Actually i just made a test wrote the html code that creates a input textbox to the textarea and saved it into mysql, which prints me the component on the page...

How can i make it write secure content on textarea that does not allow you to write html tags or smth, I just wanna increase the security of my site.

Thanks

Lulzim
  • 865
  • 7
  • 18
  • 28
  • 1
    Have a look to this http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Ander2 Sep 27 '13 at 12:13

2 Answers2

2

if $textarea contains your textarea value,you can do $db_value = mysql_real_escape_string(strip_tags(trim($textarea))) and insert $db_value to the database.

strip_tags strips the text of html tags and mysql_real_escape_string encodes special characters and makes it safe to insert into a database...

for mysql_real_escape_string: check http://php.net/manual/en/function.mysql-real-escape-string.php

for strip_tags check: http://www.php.net/manual/en/function.strip-tags.php

Shikhar Subedi
  • 606
  • 1
  • 9
  • 26
2

Try to use Prepared Statements
http://php.net/manual/de/mysqli.quickstart.prepared-statements.php

And remove all unwanted chars from the given text and finally use mysql_real_escape_string to escape the string for MySQL.

Basti Funck
  • 1,400
  • 17
  • 31